
New Custom Backdoor Used by Chinese Hackers to Bypass Detection Measures
- Written by Ari Denial, Cybersecurity & Tech Writer
The prime targets of the attack by the infamous Chinese APT group, Mustang Panda, are government and political organizations spanning Asia and Europe.
Since the start of this year, Mustang Panda, the Chinese cyber espionage group, has been observed using a new custom backdoor called ‘MQsTTang’ in their attacks. Mustang Panda has a history of targeting organizations globally and utilizing their custom remote access trojan (RAT), PlugX, to steal data.
However, this time, the group has developed the MQsTTang backdoor malware to increase the difficulty of detection and attribution. Furthermore, Mustang Panda has begun using other customized tools, including PUBLOAD, TONESHELL, and TONEINS.
MQsTTang achieves persistence by creating a new registry entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”, which causes the malware to launch automatically at system startup. After a reboot, the malware runs only its C2 communication task, which keeps it in contact with its command and control server.
Researchers from ESET have identified MQsTTang in an ongoing campaign that began in January 2023. The campaign is directed towards government and political organizations in Europe and Asia, with a specific focus on Ukraine and Taiwan.
The distribution of the malware occurs through spear-phishing emails, and the payloads are downloaded from GitHub repositories created by a user linked to previous Mustang Panda campaigns.
The MQsTTang executable is delivered inside RAR archives named after diplomatic themes, such as passport scans of embassy and diplomatic mission personnel. Upon execution, the malware creates a copy of itself and launches that copy with a command-line argument that selects the task to perform, such as opening C2 communications or establishing persistence.
MQsTTang distinguishes itself by using the MQTT protocol for C2 communications. Because all traffic passes through a broker, the channel is more resilient to C2 takedowns and the operators’ infrastructure stays hidden from the victim. The malware also checks for debuggers and monitoring tools and alters its behaviour when they are present, to evade detection and analysis.
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families,” according to ESET’s report.
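The MQTT-based C2 channel described above is unusual traffic for most endpoints, which makes it a practical detection opportunity. The following is an added example (not code from the article, from ESET, or from the malware) of a defender-side check: a minimal parser for MQTT 3.1.1 CONNECT packets, applied to constructed flow records to flag hosts that open MQTT sessions without being on an allowlist. The sample packet, host addresses and allowlist are all constructed for illustration.

```python
import struct
# Constructed MQTT 3.1.1 CONNECT (not a real capture): type 0x10, remaining length 23,
# protocol "MQTT", level 4, flags 0x02 (clean session), keep-alive 60 s, client id "host-ABC123".
SAMPLE_CONNECT = bytes.fromhex("10170004 4d515454 0402003c 000b") + b"host-ABC123"

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field; returns (value, next_pos)."""
    value, mult = 0, 1
    while buf[pos] & 0x80:
        value, mult, pos = value + (buf[pos] & 0x7F) * mult, mult * 128, pos + 1
    return value + buf[pos] * mult, pos + 1

def _utf8_string(buf, pos):
    """Read a 2-byte length-prefixed UTF-8 string; returns (text, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_connect(buf):
    """Return the variable header and client id of an MQTT CONNECT, or None if buf is not one."""
    if len(buf) < 2 or buf[0] != 0x10:  # control packet type 1 (CONNECT), reserved flag bits 0
        return None
    remaining, pos = _remaining_length(buf, 1)
    if len(buf) < pos + remaining:
        raise ValueError("truncated CONNECT packet")
    name, pos = _utf8_string(buf, pos)
    level, flags = buf[pos], buf[pos + 1]
    (keepalive,) = struct.unpack_from(">H", buf, pos + 2)
    client_id, _ = _utf8_string(buf, pos + 4)  # will/username fields after this are not decoded
    return {"protocol": name, "level": level, "clean_session": bool(flags & 0x02),
            "keepalive": keepalive, "client_id": client_id}

def unexpected_mqtt_clients(flows, allowed_sources):
    """Flag flows that open an MQTT session from a host not expected to speak MQTT."""
    hits = []
    for flow in flows:
        try:
            fields = parse_connect(flow["payload"])
        except (ValueError, struct.error, UnicodeDecodeError, IndexError):
            continue  # malformed, or simply not MQTT; ignore
        if fields and flow["src"] not in allowed_sources:
            hits.append((flow["src"], flow["dst"], fields["client_id"]))
    return hits

# Constructed flows: an allowed IoT gateway, a workstation that should never use MQTT, plain HTTP.
SAMPLE_FLOWS = [
    {"src": "10.0.5.20", "dst": "203.0.113.9", "payload": SAMPLE_CONNECT},
    {"src": "10.0.1.77", "dst": "203.0.113.9", "payload": SAMPLE_CONNECT},
    {"src": "10.0.1.78", "dst": "203.0.113.9", "payload": b"GET / HTTP/1.1\r\n"},
]
ALLOWED_MQTT_SOURCES = {"10.0.5.20"}
```

In practice the `payload` would be the first client-to-server bytes of each TCP flow from a sensor or proxy; matching on the CONNECT structure rather than on port 1883 catches brokers reached over non-standard ports.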

WH Smith, Leading British Retailer, Confirms Data Breach Following Cyberattack
- Written by Ari Denial, Cybersecurity & Tech Writer
WH Smith, a retail company based in the UK, has experienced a security breach that has resulted in the exposure of data pertaining to both past and present employees.
With over 12,500 employees and a reported revenue of $1.67 billion in 2022, WH Smith operates 1,700 locations throughout the United Kingdom.
WH Smith’s cyberattack adds to a growing list of recent attacks on UK businesses, including a ransomware attack on Royal Mail’s international postal services that resulted in an extended period of downtime.
According to WH Smith, there is currently no indication that the cybercriminals accessed banking details in the attack. The retail chain also confirmed that the breach did not impact its trading operations. Its website, customer accounts, and customer databases remained unaffected as they are hosted on separate systems.
Despite the absence of financial data compromise in the cyberattack, Richard Hollis, CEO of Risk Crew, has expressed concern over the incident due to the exposure of personal information belonging to WH Smith’s employees.
Jasson Casey, CTO at Beyond Identity, emphasized the significance of the cyberattack on WH Smith as a further indication that cybercriminals are increasing the frequency and intensity of their attacks.
WH Smith has confirmed that its trading business was not impacted by the cyberattack. The retail company also assures that customer data remained secure as it is stored on separate systems that were not affected by the unauthorized access.
WH Smith has released a cybersecurity notice through the London Stock Exchange, stating that the company experienced a cyber security incident resulting in unlawful access to certain company data, including data pertaining to both past and present employees.
According to WH Smith, “upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services, and implemented our incident response plans, which included notifying the relevant authorities.”
WH Smith has stated that it will directly notify individuals who have been impacted by the cyberattack and that it will provide special measures to support them, which may include identity protection services.